Federal Communications Commission Chairwoman Jessica Rosenworcel has ordered mobile carriers to explain what geolocation data they collect from customers and how they use it. Rosenworcel’s probe could be the first step toward stronger action—but the agency’s authority in this area is in peril because Congress is debating a data privacy law that could preempt the FCC from regulating carriers’ privacy practices.
Rosenworcel sent letters of inquiry Tuesday “to the top 15 mobile providers,” the FCC announced. The chairwoman’s letters asked carriers “about their policies around geolocation data, such as how long geolocation data is retained and why and what the current safeguards are to protect this sensitive information,” the FCC said.
The letters also “probe carriers about their processes for sharing subscriber geolocation data with law enforcement and other third parties’ data-sharing agreements. Finally, the letters ask whether and how consumers are notified when their geolocation information is shared with third parties,” the FCC said.
“Mobile Internet service providers are uniquely situated to capture a trove of data about their own subscribers, including the subscriber’s actual identity and personal characteristics, geolocation data, app usage, and web browsing data and habits,” the letters say. Under US communications law, carriers are prohibited from using or sharing private information except under specific circumstances.
Rosenworcel told carriers to answer the questions by August 3. Letter recipients included the big three carriers AT&T, T-Mobile, and Verizon; cable companies Comcast and Charter, which resell mobile service; mobile operators Consumer Cellular, C-Spire, Dish, Google, H2O Wireless, Lycamobile, Mint Mobile, Red Pocket, and US Cellular; and Best Buy Health, which operates the medical-focused Lively mobile service.
FCC has authority over phone privacy… for now
The FCC letters pointed out that in February 2020, it proposed fines totaling $208 million after AT&T, Sprint, T-Mobile, and Verizon were caught “selling access to their customers’ location information without taking reasonable measures to protect against unauthorized access to that information.” While that practice is believed to have been stopped, this week’s FCC letters said there’s still reason to worry about the data collected by carriers:
These carriers voluntarily determined to end the sale of real-time location information to location aggregation services However, last year, a report by the Federal Trade Commission that studied ISPs representing 98 percent of the mobile Internet market observed that ISPs collect more data than is necessary to provide services and more data than consumers expect.
The $208 million in proposed fines is apparently still pending, but the FCC said it “has ensured that these carriers are no longer monetizing their consumers’ real-time location in this way, and the agency is continuing its investigation into these practices.”
The FCC inquiry is important “in light of the long history of abuses by carriers selling this kind of detailed and hyper-accurate information to law enforcement, bounty hunters, and even stalkers,” said Harold Feld, senior VP of consumer advocacy group Public Knowledge. Mobile carriers “have unique access to highly accurate geolocation information—known as A-GPS—designed so that 911 responders can find a caller with pinpoint accuracy,” and have “access to other information that can be combined with geolocation to produce a detailed picture of a person’s activities far beyond what applications on the handset can provide,” Feld said.
Although the FCC gave up its Title II authority over broadband under former Chairman Ajit Pai, Feld noted that the agency still has substantial authority over phone service. “The FCC has specialized power to force carriers to respond,” Feld wrote. “It has the power to impose transparency requirements to reveal when law enforcement abuses the legal process to obtain deeply personal phone information. It has the power to require specific data minimization and data protection obligations if necessary. The FCC has used this power in the past to create new rules in response to revelations that stalkers had access to carrier information, and should not hesitate to use its regulatory powers again if necessary.”